Wave Systems Corp. (fka WAVXQ)

[Methinks]

Securing supply chains – TCG’s answer to attacks

https://trustedcomputinggroup.org/securing-supply-chains-tcgs-answer-to-attacks

Date Published: May, 19, 2021
In 2020 alone, there was a shocking 430% increase in supply chain attacks, according to research by Sonatype. With this statistic in mind, it is clear that supply chains require better security, in order to protect them from the large rise in attacks we have witnessed.

Why are supply chain attacks so devastating?

In the grand scheme of things, supply chain attacks are a relatively recent threat – but they are on the rise.

Supply chain attacks mean that someone has infiltrated your system, typically through tampering with the manufacturing process of a physical component or during distribution of a software component. Once carried out, some supply chain attacks have the potential to access source code repositories, build processes and distribute malware. By infecting legitimate applications with this malware, the malicious code is allowed to run with the same trust and permissions as the original application.

An example of sophisticated supply chain attackers are the cyber espionage group, ‘Dragonfly’ who targeted energy companies across Europe and North America in recent years. Operating since 2011, the group have been known to target companies via their supply chains, first gaining access to legitimate industrial control system (ICS) software, then replacing files with their own infected versions. Essentially, they use legitimate files as Trojan Horses for their own malware. The same concept applies to hardware and IoT devices; attackers are able to identify the weakest link in the supply chain, and tamper with devices before they are distributed by the vendor.

Once downloaded or obtained by users, the malware may contain remote access functionalities, giving the hackers some control over the system it has been installed on. The increasing amounts of personal data, identity information and financial information that is being stored within devices makes these attacks very attractive to perform, but raises the risk for those that are vulnerable to them.

The ever-evolving nature of cyber-attacks require ever-evolving solutions to combat them. When a piece of software or hardware has been tampered with at the source, malware can be hard to detect. This is because the end user has sourced it directly from the third-party vendor, therefore has no reason to believe it is anything but legitimate.

The victims of supply chain attacks are commonly smaller businesses, who provide a product to multiple, larger companies. Consequently, a small-scale, targeted attack at a specific point in a supply chain can have monumental destructive capabilities as that software or hardware is more widely distributed.

Because of their size and therefore the complexity of their supply chain, it is not uncommon for these larger companies to have limited knowledge of their entire supply chain. This provides the attackers with a layer of anonymity, making attacks of this kind all the more attractive.

“Within a supply chain, it is difficult to truly know whether a system or device has been tampered with in any way”, said Amy Nelson, Chair of PC Client Work Group at TCG. “Before this specification was released, it was a difficult, if not impossible, to determine the security status of multiple endpoints within a network.”

TCG’s new solution

Now, TCG have developed a new PC Client Firmware Integrity Measurement (FIM) specification. This specification provides an official definitive guide to verifying the integrity of equipment bought by the enterprise. It provides a framework to establish the integrity baseline of the firmware running on a device at the manufacturing stage and offers a process for baseline measurement that allows for security result comparisons throughout its lifecycle.

“Until now, there was no programmatic way to establish the integrity of devices and networks within enterprise systems, making this a significant advancement in the security of supply chains. With the FIM spec, it is now possible to know if equipment is reliable by comparing the integrity of firmware to manufacturer endorsements to identify what should be running, or not”, said Amy Nelson.

The FIM works best alongside the Reference Integrity Manifest specification (RIM), which reflects a baseline measurement for comparison to inform trusted decision making. It can also be used alongside the TCG Platform Certificate Specification, to capture more information on the configuration changes to improve device security.